Are you using the same password for everything? You probably are, aren’t you? “That’s okay,” you’re thinking, “It’s a really, really hard password. Nobody will ever get it.”
Not so fast, fish-breath.
A recent post on the Twitter Status blog details a new way that some crafty crackers are stealing passwords. It basically works like this: You join a perfectly legitimate online community, a website that lets you share your favorite YouTube piano-playing-cat videos, for example, or a forum to discuss new ways of getting fourth-graders to study American history. A few months pass and you are happily sharing videos of Mittens hammering Beethoven or explaining to new friends why 8-year olds should learn about Crispus Attucks. Little did you know that the community you joined — the one that’s hosted in San Francisco and run by an innocent-sounding little Internet start-up — is actually owned by a couple of Russian teenagers who built the thing overnight for $32.
Now these kids have a database of all 8,319 other feline-loving and / or elementary school teachers that are using their site. And they have your username. And your email address. And your password.
And it’s the same password you use at Amazon and PayPal, isn’t it? It’s the same password you used when you created your GMail account and your Twitter account, too, isn’t it? And I’m guessing you used the same email address and password for iTunes, right? Now, my friend, you are screwed.
There’s really only one way to avoid this, of course:
Don’t use the same password for everything!
That’s a tall order these days. There’s no way I’d remember the dozens and dozens of passwords I use on a daily basis if every single one was unique. I have a set of five or six different passwords that I use. Some are for throwaway use, like on video game sites or e-commerce sites I know I’ll not care if they’re stolen. Some are for social networking sites, like Twitter and WordPress and Facebook. And some — the ones that have lots of punctuation marks and numbers and are more than eight characters long — are for banks and credit cards. That way if someone ever does manage to hack Twitter it doesn’t mean they can get into my checking account, too.
It’s not the best solution. The best solution would be to actually create a unique username and password for every single account you ever create, and to use different GMail aliases for all of them. But nobody is that paranoid. Are you?
Just switched to using lastpass.com – now I have unique 12 character alpha/numeric/punctuation based passwords for every site, but only one (VERY strong) password to remember to use them.
Is lastpass.com run by a couple of Russian teenagers that built it overnight for $32.